BadTunnel Security Flaw Affected All Windows Versions For 20 Years

A Chinese security researcher has uncovered a serious vulnerability in all versions of the Windows operating system, from Windows 95 to Windows 10, meaning users have been vulnerable for more than 20 years.

The good news is that Microsoft has already fixed the flaw in its latest Patch Tuesday security update, allowing Yang Yu, the founder of Tencent’s Xuanwu Lab, to reveal details of what has been named ‘BadTunnel’ in an interview with Dark Reading.

BadTunnel Flaw

The bug is extremely serious because no supported or unsupported release escapes it: every version from Windows 95 through to Windows 10 is affected. The severity meant that Yu reportedly earned Microsoft’s top bug bounty reward of $50,000 (£35,063).

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu is quoted as saying. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years. It can be exploited silently with a near perfect success rate.”

So what exactly is BadTunnel? It is not a piece of malware. Rather, it is a technique for spoofing NetBIOS name-service responses across networks, made possible by the way Windows handles that protocol. It lets an attacker hijack the victim’s network traffic without being on the victim’s network, it works through firewalls and Network Address Translation (NAT) devices, and it can be triggered through a wide range of programs and documents.

“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usages of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” Yu reportedly said.

Network Hijack

The attack begins when the victim visits a booby-trapped web page with Microsoft Edge or Internet Explorer, plugs in a malicious flash drive, or opens a rigged Office document.

According to Dark Reading, the attacker’s server poses as either a file server or a local print server, and from there hijacks the victim’s network traffic: HTTP, Windows Update, and even Certificate Revocation List (CRL) downloads made through Microsoft’s CryptoAPI.

Essentially, BadTunnel chains a series of weaknesses, each of which looks correct on its own, including the way Windows resolves NetBIOS names and which name-service responses it is willing to accept. Taken together, they leave the victim’s machine open to a BadTunnel attack.
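To make the “accepts responses” point concrete, here is an added example (not code from this article, from Yang Yu, or from Microsoft) that encodes and decodes NetBIOS Name Service (NBNS, RFC 1002, UDP port 137) packets in Python and shows the checks a resolver has to perform before trusting a name-query response. The host names, IP addresses and transaction IDs are constructed for the demonstration.

```python
"""NBNS (NetBIOS Name Service, RFC 1002, UDP/137) packets and the checks a
resolver must apply before accepting a name-query response.
Added example: every packet here is constructed inline, not captured traffic."""
import struct
from typing import Dict, List, Optional, Tuple

NB_TYPE = 0x0020          # RR type NB
IN_CLASS = 0x0001
FLAGS_QUERY = 0x0110      # opcode QUERY, RD=1, B=1 (broadcast name query)
FLAGS_RESPONSE = 0x8500   # R=1, opcode QUERY, AA=1, RD=1 (positive response)
BROADCAST = "255.255.255.255"


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 chars, add the suffix byte, then split
    every byte into two nibbles and add 0x41 ('A') to each. One 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray([32])
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    out.append(0)                       # root label terminator
    return bytes(out)


def decode_name(label: bytes) -> Tuple[str, int]:
    """Inverse of encode_name(); returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("malformed NetBIOS name label")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Positive name query response with one NB answer RR (RDATA = NB_FLAGS + IPv4).
    Nothing is authenticated: anyone who knows txid and name can build this."""
    header = struct.pack(">HHHHHH", txid, FLAGS_RESPONSE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_name(name) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def parse_response(pkt: bytes) -> Dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12 + qd * (34 + 4)            # skip any echoed question entries
    answers: List[Dict] = []
    for _ in range(an):
        name, _suffix = decode_name(pkt[off:off + 34])
        off += 34
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == NB_TYPE and rdlen >= 6:
            answers.append({"name": name, "ip": ".".join(str(b) for b in rdata[2:6])})
    return {"txid": txid, "answers": answers}


class Resolver:
    """Tracks outstanding queries so only responses tied to one are accepted."""

    def __init__(self) -> None:
        self.pending: Dict[int, Tuple[str, str]] = {}   # txid -> (name, dest)

    def send_query(self, txid: int, name: str, dest: str = BROADCAST) -> bytes:
        self.pending[txid] = (name, dest)
        return build_query(txid, name)

    def accept(self, pkt: bytes, src: str) -> Optional[str]:
        """Return the resolved IP if the response passes every check, else None."""
        resp = parse_response(pkt)
        entry = self.pending.get(resp["txid"])
        if entry is None:
            return None                 # unsolicited, or txid does not match
        name, dest = entry
        if dest != BROADCAST and src != dest:
            return None                 # unicast query: answer must come from the host asked
        # A broadcast query may legitimately be answered by any host on the segment,
        # so for that case the 16-bit txid is the only value a blind spoofer must match.
        for ans in resp["answers"]:
            if ans["name"] == name:
                del self.pending[resp["txid"]]
                return ans["ip"]
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one genuine answer and two spoofed ones."""
    r = Resolver()
    r.send_query(0x1234, "FILESRV")                      # broadcast lookup
    r.send_query(0x4321, "PRINTSRV", dest="10.0.0.5")    # unicast lookup to one host
    return {
        "genuine": r.accept(build_response(0x1234, "FILESRV", "10.0.0.20"), "10.0.0.20"),
        "wrong_txid": r.accept(build_response(0x9999, "FILESRV", "203.0.113.9"), "203.0.113.9"),
        "wrong_source": r.accept(build_response(0x4321, "PRINTSRV", "203.0.113.9"), "203.0.113.9"),
    }


if __name__ == "__main__":
    print(demo())
```

Note what these checks can and cannot do: a unicast lookup can be tied to the host that was asked, but a broadcast lookup may be answered by any host, so there the 16-bit transaction ID is the only field an off-segment sender has to match. A resolver that does not even track its outstanding queries offers no barrier at all, which is why “which responses it accepts” matters as much as “how it resolves names”.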

Yu reportedly first conceived of the flaw during a flight last year. Bored, he began imagining new attack scenarios; once on the ground he tested his theory against different system configurations and eventually confirmed the vulnerability in the Windows operating system.

He reported his finding to Microsoft in January, and says he has not come across any attacks of this nature in the wild.

The flaw was addressed this week by Microsoft in security bulletin MS16-077.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
